Data Security Requires Constant Reminders

Instead of a big training session that companies
might just "roll their eyes and tune out," organizations should make
information security a part of the business process, Shaul said. This
can be in the form of signs and other visual cues reminding users they
can't copy data onto unsecured drives, similar to how there are signs
reminding users to use a shredder for sensitive documents, Application Security's Shaul said.

Even the best trained and security-savvy employee
can make mistakes. So even with education in place, policy needs to be
defined so that mistakes can be caught and to keep honest people
honest, Ken Ammon, chief strategy officer at Xceedium, told eWEEK.

Good processes should prevent unsafe handling of
information because they catch instances when the user is lax, Webb
said. For example, forcing the employee to do a final check and
documenting that the documents were copied to the correct server would
ensure that mistakes are caught before it becomes a breach.

A security breach at the University of South
Carolina Sumter exposed the Social Security numbers and other personal
identifying information on the Internet for nearly 31,000 faculty,
staff, retirees and students, according to TheState.com. While the
breach was discovered in January, the university waited until March 1 to
notify affected users, because the university wanted to ensure all
affected people had been identified, USC spokeswoman Margaret Lamb told
The State.

The breached server was located on the USC Sumter
campus, but all eight campuses were affected, the university said. The
security breach was caused by human error, but USC declined to provide additional details.

Technical controls need to be in place as the last
line of defense against accidental breaches, Credant Technologies' Webb said. As the user
makes mistakes caused by lack of knowledge and the processes are not
there to correct those mistakes, then having technology in place to
catch violations would prevent the breach from happening. For example,
software that prevents sensitive information to be written on flash
drives, even temporarily, would ensure data won't leave the corporate
environment if the device is lost, he said.

Data breaches are a growing problem. The 2010 data
breach report from Ponemon Institute found that the average cost of a
data breach is approximately $7.2 million. That hefty price tag
includes the cost of hiring a third-party security auditor with
computer forensics knowledge to investigate what happened and fix the
issue, notifying all the users and the state government, setting up a
call center that can handle questions from worried victims, paying for
credit monitoring services, lost productivity and sales as customers
leave, Shaul said. In a heavily regulated industry, compliance fines
can also increase the cost of the breach, he said.